Google Workspace SMTP Relay (IP-Based) — Architecture, Configuration, EHLO / Envelope-From Errors & Fixes

This Knowledge Base article provides a technical deep dive into Google Workspace Gmail SMTP Relay (IP-based), covering:

  • SMTP Relay architecture and behavior

  • Correct configuration for application / portal email

  • Root-cause analysis of 5.7.1 Invalid credentials for relay errors

  • Correct usage of EHLO / HELO hostname and Envelope-From (MAIL FROM)

  • Security considerations and best practices

Target audience:

  • IT professionals

  • System administrators

  • Support and infrastructure engineers


2. Overview: Gmail SMTP Relay Service

What SMTP Relay Is

Gmail SMTP Relay allows servers and applications to send mail through Google’s infrastructure without authenticating as a mailbox user.

Why SMTP Relay Is Used

  • Avoids Gmail per-user sending limits

  • Designed for automated/system email

  • Uses infrastructure trust (IP + domain) instead of passwords

Supported Relay Modes

| Relay Type | Authentication | Use Case |
| --- | --- | --- |
| IP-based relay | Source IP | Servers, portals, ERP systems (recommended) |
| SMTP AUTH relay | Username + password | Legacy apps, shared hosting |


3. Architecture & Message Flow (IP-Based Relay)

    Application / Portal Server
    (Public IP: 203.0.113.10)
            |
            |  SMTP (STARTTLS)
            |  EHLO example.com
            |  MAIL FROM:<mailer@example.com>
            v
    smtp-relay.gmail.com
            |
            |  Google validates:
            |   - Source IP
            |   - EHLO domain
            |   - Envelope-From domain
            v
    Gmail mail infrastructure
            |
            v
    Recipient mail servers


4. Use Cases & Supported Environments

Typical Use Cases

  • Order confirmations

  • ERP / CRM notifications

  • Dealer or partner portals

  • Monitoring and alerting systems

  • Password reset and system emails

Supported Environments

  • Cloud VMs (Azure / AWS / GCP)

  • VPS with static outbound IP

  • On-premise servers with NAT


5. Step-by-Step: Enable IP-Based SMTP Relay

5.1 Prerequisites

  • Static outbound IP of sending server (example: 203.0.113.10)

  • Google Workspace admin access

  • DNS control for the domain


5.2 Configure SMTP Relay in Admin Console

  1. Admin Console → Apps → Google Workspace → Gmail

  2. Open Routing

  3. Locate SMTP Relay Service

  4. Add or edit a relay rule

Recommended Settings

  • Allowed senders: Only addresses in my domains

  • Authentication:

    • ✔ Only accept mail from specified IP addresses

    • ❌ Require SMTP Authentication

  • Allowed IP: 203.0.113.10

  • Encryption: Require TLS

Save and allow 5–10 minutes for activation.


6. Application / Portal SMTP Configuration

Required SMTP Parameters

    SMTP Host  : smtp-relay.gmail.com
    Port       : 587
    Encryption : STARTTLS
    SMTP Auth  : OFF
    Username   : (empty)
    Password   : (empty)


Mandatory Identity Parameters

| Parameter | Required Value |
| --- | --- |
| EHLO / HELO | example.com |
| Envelope-From (MAIL FROM) | mailer@example.com |
| From header | mailer@example.com |
| Sender header | mailer@example.com |

These values must belong to a domain registered in Google Workspace.


7. EHLO / Envelope-From — Technical Explanation

EHLO / HELO

  • SMTP greeting hostname

  • Must match a Workspace domain

  • Invalid examples:

    • localhost

    • server hostname

    • hosting provider name

Envelope-From (MAIL FROM)

  • SMTP-level sender identity

  • Used for SPF, DMARC, and bounce handling

  • Different from the visible “From” header

If either value is missing or mismatched, Google rejects the relay.
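
The identity checks above, as an added example (not code from Google or from the original article): a Python sender that sets the EHLO name and MAIL FROM explicitly and refuses to connect when either would trigger the rejection. `WORKSPACE_DOMAINS`, `identity_problems` and `send_via_relay` are hypothetical names; `example.com` and `mailer@example.com` are the article's placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

RELAY_HOST = "smtp-relay.gmail.com"   # relay endpoint named in this article
RELAY_PORT = 587
WORKSPACE_DOMAINS = {"example.com"}   # assumption: domains registered in Workspace


def identity_problems(ehlo_name, envelope_from, from_header):
    """Return the identity mismatches this article lists as causes of 5.7.1."""
    problems = []
    if ehlo_name.lower().rstrip(".") not in WORKSPACE_DOMAINS:
        problems.append(f"EHLO name {ehlo_name!r} is not a Workspace domain")
    for label, addr in (("MAIL FROM", envelope_from), ("From header", from_header)):
        local, sep, domain = addr.rpartition("@")
        if not (sep and local):
            problems.append(f"{label} is empty or not an address")
        elif domain.lower() not in WORKSPACE_DOMAINS:
            problems.append(f"{label} domain {domain!r} is not a Workspace domain")
    return problems


def send_via_relay(ehlo_name, envelope_from, rcpt, subject, body):
    """Send one message with explicit EHLO and MAIL FROM, without SMTP AUTH."""
    problems = identity_problems(ehlo_name, envelope_from, envelope_from)
    if problems:
        raise ValueError("; ".join(problems))  # fail before touching the network
    msg = EmailMessage()
    msg["From"] = envelope_from
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(body)
    # local_hostname is the name smtplib sends in EHLO. Left unset, smtplib
    # uses the machine's own hostname, which is the mismatch described above.
    with smtplib.SMTP(RELAY_HOST, RELAY_PORT,
                      local_hostname=ehlo_name, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # greet again inside the TLS session
        # from_addr is the envelope sender (MAIL FROM), set explicitly.
        smtp.send_message(msg, from_addr=envelope_from, to_addrs=[rcpt])
```

The send only succeeds from a host whose outbound IP is allowed in the relay rule; the pre-flight check runs anywhere.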


8. Common Errors, Root Causes & Fixes

Error

5.7.1 Invalid credentials for relay

Root Causes

  • EHLO hostname not matching Workspace domain

  • Empty or external Envelope-From

  • Application cannot control SMTP identity

Resolution

  • Set EHLO to example.com

  • Explicitly set MAIL FROM to mailer@example.com

  • Test from the actual application (not SMTP test tools)


Error

Relay access denied

Root Causes

  • Incorrect outbound IP

  • NAT or firewall rewriting source IP

Verification

curl ifconfig.me

Ensure the output matches the IP address registered in the SMTP Relay rule.


9. DNS & Email Authentication Requirements

SPF (Required)

Minimal SPF for Google-only sending:

v=spf1 include:_spf.google.com ~all


DKIM

  • Enable in Admin Console → Gmail → Authenticate domain

  • Strongly recommended for all relay traffic


DMARC (Recommended)

v=DMARC1; p=quarantine; adkim=r; aspf=r; pct=100;


10. Security Considerations & Risks

Security Benefits

  • No stored user credentials

  • IP-restricted sending

  • Domain-level enforcement

Risks & Mitigation

| Risk | Mitigation |
| --- | --- |
| IP misuse | Firewall + static IP |
| Spoofed domains | SPF + DKIM + DMARC |
| Misconfigured apps | Enforce EHLO and MAIL FROM |


11. Best Practices & Recommendations

  • Prefer IP-based SMTP Relay

  • Avoid using human mailboxes for automation

  • Use a single, consistent sender identity

  • Monitor Email Log Search after changes

  • Keep SPF DNS lookups under 10

  • Avoid generic SMTP testing tools
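
For the SPF lookup recommendation above, an added example (not part of the original article) that counts the DNS-querying terms RFC 7208 limits to 10 per evaluation: `include`, `a`, `mx`, `ptr`, `exists` and `redirect`, followed recursively. The TXT records in `SAMPLE_ZONE` are constructed for illustration and are not real DNS data, including the entry shown for `_spf.google.com`; resolve the live records before drawing conclusions.

```python
# Constructed TXT records for illustration only; they are not real DNS data.
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:spf.crm.test "
                   "mx a:portal.example.com ~all",
    "_spf.google.com": "v=spf1 include:_nb1.sample.test "
                       "include:_nb2.sample.test ~all",
    "_nb1.sample.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.sample.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.crm.test": "v=spf1 include:a.crm.test include:b.crm.test "
                    "include:c.crm.test exists:%{i}.crm.test ~all",
    "a.crm.test": "v=spf1 mx ~all",
    "b.crm.test": "v=spf1 a ~all",
    "c.crm.test": "v=spf1 ip4:203.0.113.0/24 ~all",
}
SPF_LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4


def spf_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms for domain, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    count = 0
    for term in record.split()[1:]:
        # Drop the qualifier, then treat "redirect=x" like "redirect:x".
        term = term.lstrip("+-~?").replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.partition("/")[0].lower()  # "mx/24" -> "mx"
        if name in ("a", "mx", "ptr", "exists"):
            count += 1
        elif name in ("include", "redirect"):
            # The include itself is one lookup, plus whatever it pulls in.
            count += 1 + spf_lookups(target, zone, path + (domain,))
    return count


def over_limit(domain, zone):
    """True when evaluating the record would exceed the RFC 7208 limit."""
    return spf_lookups(domain, zone) > SPF_LOOKUP_LIMIT
```

With this constructed data the third-party CRM include alone accounts for 7 of the 12 lookups, which is the usual way a Google-only record drifts over the limit.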


12. When to Use SMTP AUTH Relay

Use SMTP AUTH relay only if:

  • No static outbound IP is available

  • Application cannot control EHLO / Envelope-From

Trade-off:

  • Easier configuration

  • Slightly reduced trust model


13. Conclusion

Google Workspace SMTP Relay is a domain- and infrastructure-trust system, not a user-authenticated SMTP service.
Successful implementation depends on correct IP authorization, EHLO identity, and Envelope-From alignment.

When configured correctly, SMTP Relay provides:

  • High deliverability

  • No per-user sending limits

  • Secure, scalable email for enterprise applications

